June 13 — Dana started like many computer system administrators do, providing tech support to employees. Then, life was simple — rebooting computers, installing software, recovering lost data. But one day, Dana discovered that the lost data included customer credit card numbers, and they most likely had been stolen by a computer criminal. Now what? Warn the customers, and lose the job, or quietly fix the problem and hope for the best?

CERTIFICATE PROGRAMS for network administrators deal with firewalls, access control lists, even strong password requirements — but moral dilemmas? It’s the “bad day at work” every computer security employee knows will come, but dreads.

Dana, the network administrator, was hired as a contractor by an as-yet-unnamed Web site when the site’s former administrator quit. He discovered the break-in while reading up on his new job. He requested anonymity.

“I’ve been thrown into a net. adm. position and am in charge of a server containing credit cards (used for repeat billing). I know the server has been compromised,” Dana wrote anonymously to CardCops.com, a Web site devoted to protecting credit card security that has an “amnesty” e-mail address which solicits such anonymous confessions. There’s no way to be sure, but on a scale of 1 to 10, Dana said the likelihood that the site’s 2,000 credit cards were stolen was about an 8.

He told his boss to notify their customers, now potential victims of credit card theft. The boss said no.

“He said to me, ‘How do we know if the numbers are really out there?’ That was his argument. ‘I don’t know anything bad has happened, and I know if I take action something bad will happen to me,’” Dana said. “It’s real easy to believe maybe nothing bad has happened and nothing bad will happen.”

When a potential data leak occurs, it is tempting to just keep quiet — you’ll almost certainly never hear about the consequences. Stolen credit card numbers make their way around the Internet, and are eventually used to steal merchandise. But the “victim” card holder simply calls Visa, MasterCard, or American Express, and has the charges removed. Only the merchant, left holding the bill for selling merchandise to a thief, suffers. And the odds of the network administrator hearing about that victim are almost zero.

“I think there are many stories like this one out there, where he knows about a compromise...and won’t tell anyone for fear of losing his job,” says Dan Clements, who operates CardCops.com. He says he’s spoken to 20 such administrators in recent months who have made the choice to keep the secret.

Security experts agree the situation is common, but there is hardly consensus about what should happen next.

Joel de la Garza, a computer security consultant, said the employee must at least be sure the credit card companies are informed to prevent crime from taking place — even if it means going around the boss.

“If the company wouldn’t fess up, I’d use an anonymous remailer and tell the credit card companies behind my employer’s back,” he said. “Allowing bad things to happen is just as morally reprehensible as committing them yourself. Problems arise when clear-cut moral decisions, such as notifying law enforcement, come into conflict with things like keeping your job.”

But the issue is hardly black and white, says Alan Paller, who heads the SANS Institute, which hosts classes for network administrators. Companies that have leaked data need to fulfill their contractual obligations with credit card companies, Paller said, but he’s not convinced the victims need to know. In fact, it may accomplish little other than “making people worry,” he said.

“If you can avoid harm to someone then you have some form of ethical obligation to act... But just letting people know things isn’t necessarily going to make things better,” he said. “Given that the person whose card is stolen has no economic liability, and we don’t know if it was actually stolen, my guess is the only obligation is to meet the requirement under their privacy policy. I don’t think people have an obligation to say ‘I screwed up.’”

And the system administrator certainly isn’t burdened with that responsibility, says Paul Wouters, administrator and legal counsel for Dutch ISP consultant firm Xtended Internet. Each Web site should have clear policies in place to deal with a break-in, he said, and workers should know what they are in advance. Employees should follow the policy.

“It is not the sysadmin’s dilemma. It’s his legal department’s or his supplier’s legal department’s issue,” Wouters said. Credit card companies and merchant banks have policies for reporting stolen data, he said, and the administrator should simply follow those rules. “Something like ‘tell us, don’t tell the individuals’ so (the companies) can keep extra taps on the possibly stolen data.”

Larry Ponemon, CEO of the Privacy Council, concedes that businesses have little to gain and much to lose by going public with a break-in — but he thinks they should do so anyway. “In the event of a breach, there is an ethical obligation of disclosure. If (victims) have the information on a compromise in the early stages, they may be able to do something,” Ponemon said. In some organizations, ignorance is bliss, he said. When a company learns that a data leak might have occurred, they forbid further investigation, to prevent discovery of a “smoking gun.”

“If you can make an argument that it isn’t an absolute certainty that information was stolen, there are some who will believe they are operating in a safety zone by not disclosing. The safety zone is rationalization.”

His firm recently audited a medical company that sold private data to a marketing firm, against its own privacy policy. He has tried unsuccessfully to convince the firm to come clean. “I don’t think we’ll be doing their second audit.”

But what about the administrator who knows about the data leak, and also knows nothing is being done to protect the victims? Are they obligated to come forward? That seems a bit unfair, he said.

“If the person has a belief there’s probably a break-in, they might believe they have responsibility or culpability also,” he said. “But they are also afraid they will lose their job, and in this job market people are frightened. You probably see people making the decision not to do anything about it.”

On the other hand, says Clements, “He’s the one that has to sleep at night.” In Dana’s case, he decided to let the issue drop after the boss fought off his arguments for disclosure. “I felt like the damage had already been done,” he said. Some of the data was two years old, and may not even be valid any longer. “I just wanted to make sure to set things right going forward. I’m not sure it’s the right way to feel, but it’s the way I feel.”